Security Incidents mailing list archives
Fw: Hybris worm
From: Philippe Bourcier <philippe () CYBERABUSE ORG>
Date: Sun, 3 Dec 2000 01:20:07 +0100
I forward this message I received after my 1st post to the list about Hybris, because I have also recently seen those trojan mails with an empty "from:".

Philippe Bourcier
-------------------------------------
www.documents.cyberabuse.org
We have had quite a large problem with Hybris here (in Greece). It was at first sending itself to recipients using an email address of hahaha () sexyfun net; however, recently it has started using an empty "mail from:". (You can read more about this on page 15 of RFC 821, and in the "SMTP REQUIREMENTS" section of RFC 1123.) Note that an empty mail from is a feature of the SMTP protocol that is REQUIRED for most mail servers. Having a blank mail from: basically means it cannot be filtered by the use of access_db or its equivalent in other mailers (I'm using Sendmail). You can however block it by modifying sendmail.cf. However, the only mail servers on which it seems acceptable to deny an empty mail from: are those which do not act as an MX for a domain, and therefore will never receive any notification messages from SMTP daemons. Reading the relevant sections of the above mentioned RFCs should clear up any confusion about this subject. :)
A Greek administrator (who wanted to remain unknown)
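An added example, not part of the post above, showing the caveat the administrator raises: a log triage script that classifies sendmail `from=<...>` entries so the worm's known sender is flagged while null-sender bounces are not blanket-rejected. The log lines are constructed for illustration, and the size threshold used to single out large null-sender messages is an assumption, not something the post states.

```python
import re
from collections import Counter

# Constructed sendmail-style maillog lines (not real data) for this example.
SAMPLE_LOG = """\
Dec  3 01:20:07 mx1 sendmail[1201]: eB30K7a01201: from=<hahaha@sexyfun.net>, size=24120, class=0, nrcpts=1, relay=[192.0.2.10]
Dec  3 01:21:13 mx1 sendmail[1205]: eB30LDb01205: from=<>, size=24210, class=0, nrcpts=1, relay=[192.0.2.11]
Dec  3 01:22:40 mx1 sendmail[1209]: eB30Mec01209: from=<>, size=3120, class=0, nrcpts=1, relay=mail.example.org [198.51.100.5]
Dec  3 01:23:02 mx1 sendmail[1212]: eB30N2d01212: from=<alice@example.org>, size=1800, class=0, nrcpts=1, relay=mail.example.org [198.51.100.5]
"""

# Matches the queue id, envelope sender and size in a sendmail "from=" log entry.
FROM_RE = re.compile(
    r"sendmail\[\d+\]: (?P<qid>\w+): from=<(?P<sender>[^>]*)>, size=(?P<size>\d+)"
)

WORM_SENDER = "hahaha@sexyfun.net"  # sender address named in the post above
# Assumption: a null-sender message this large is unlikely to be a plain
# delivery-status notification; legitimate bounces are usually small.
SIZE_THRESHOLD = 20000


def classify(line):
    """Return a category for one log line, or None if it is not a from= entry."""
    m = FROM_RE.search(line)
    if not m:
        return None
    sender = m.group("sender")
    size = int(m.group("size"))
    if sender.lower() == WORM_SENDER:
        return "worm-sender"          # the address the worm used at first
    if sender == "":
        # Null envelope sender (MAIL FROM:<>): required for bounces, so it is
        # only suspicious in combination with another attribute.
        return "null-sender-large" if size >= SIZE_THRESHOLD else "null-sender"
    return "normal"


def summarize(log_text):
    """Count log lines per category so an admin can see what a rule would hit."""
    counts = Counter()
    for line in log_text.splitlines():
        category = classify(line)
        if category:
            counts[category] += 1
    return counts


if __name__ == "__main__":
    for category, n in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{category:18s} {n}")
```

A blanket rule rejecting `from=<>` would hit both null-sender lines above, including the small bounce from a real relay; the category split shows why the administrator limits such a rule to hosts that are not an MX.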